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Abstract 


^  Predicate  logic  is  a  powerful  and  general  descriptive  formalism  With  a  long  history 
of  development.  However,  since  the  logic’s  underlying  semantics  have  no  notion  of  time, 
statements  such  as  "/  increases  by  cannot  be  directly  expressed.  V(e  discuss  interval 
temporal  logic  (ITL),  a  formalism  that  augm^  ts  standard  predicate  logic  with  operators  for 
time-dependent  concepts.  Qur  earlier  work  used  ITL  to  specify  and  reason  about  hardware. 
In  this  paper  we  show  how  ITL  can  also  directly  capture  various  control  structures  found 
in  conventional  programming  languages.  Constructs  are  given  for  treating  assignment, 
iteration,  sequential  and  parallel  computations  and  scoping.  The  techniques  used  permit 
specification  and  reasoning  about  such  algorithms  as  concurrent  Quicksort.  We  compare 
ITL  with  the  logic-based  programming  languages  Lucid  and  Prolog. 
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§1  Introduction 


As  a  tool  for  specification  and  reasoning,  predicate  logic  has  many  attractive  features. 
Here  are  a  few: 

•  Every  formula  and  expression  has  a  simple  semantic  interpretation 

•  Concepts  such  as  recursion  can  be  characterized  and  explored. 

•  Subsets  can  be  used  for  programming  (e.g.,  Prolog  [5]). 

•  Theorems  about  formulas  and  expressions  can  themselves  be  stated  and  proved 
within  the  framework  of  predicate  logic. 

•  Reasoning  in  predicate  logic  can  often  be  reduced  to  propositional  logic. 

•  Decades  of  research  lie  behind  the  overall  formalism. 

However,  predicate  logic  has  no  built-in  notion  of  time  and  therefore  cannot  directly 
express  such  dynamic  actions  as 

“/  increases  by  2” 
or 

“  The  values  of  A  and  B  are  exchanged .” 

We  get  around  this  limitation  by  using  an  extension  of  linear-time  temporal  logic 
[6,10]  called  interval  temporal  logic  (ITL).  The  behavior  of  programs  and  hardware  devices 
can  often  be  decomposed  into  successively  smaller  periods  or  intervals  of  activity.  These 
intervals  provide  a  convenient  framework  for  introducing  quantitative  timing  details.  State 
transitions  can  be  characterized  by  properties  relating  the  initial  and  final  values  of 
variables  over  intervals  of  time. 

We  originally  used  ITL  to  specify  and  reason  about  timing- dependent  hardware. 
Moszkowski,  Halpern  and  Manna  [4,7,8]  give  details  about  ITL’s  syntax  and  semantics  and 
also  show  how  to  describe  hardware  ranging  from  delay  elements  up  to  a  clocked  multiplier 
and  an  ALU  bit  slice.  In  this  paper  we  show  how  ITL  can  also  directly  capture  various 
control  structures  found  in  programming  languages.  Constructs  are  given  for  treating 
assignment,  iteration,  sequential  and  parallel  computations  and  scoping. 

§2  Expressing  Programming  Concepts  in  ITL 

This  section  will  show  how  ITL  can  express  a  variety  of  useful  programming  concepts. 
We  assume  that  the  reader  is  familiar  with  the  syntax  and  semantics  of  first-order  ITL  as 
described  by  us  in  [4]  and  [8].  Upper-case  variables  such  as  A  and  I  are  signals  and  vary 
over  states.  Lower-case  variables  such  as  b  and  i  are  static  and  thus  time- invariant.  In 
general,  variables  such  as  A  and  b  can  range  over  all  the  elements  of  the  underlying  data 
domain.  On  the  other  hand,  J  and  n  range  over  natural  numbers.  The  variable  X  always 
equals  one  of  the  truth  values  true  and  false. 
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Assignment 

The  assignment  A  — ►  B  is  true  for  an  interval  if  the  signal  B  ends  up  with  the  signal 
A’s  initial  value.  If  desired,  we  can  reverse  the  direction  of  the  arrow: 

B  ■*—  A  =def  A  B. 


Assignment  in  ITL  only  affects  variables  explicitly  mentioned;  the  values  of  other 
variables  do  not  necessarily  remain  fixed.  For  example,  the  formulas 


and 


are  not  equivalent. 


/-(/  +  2) 
[/•-(/  +  2)]  A 


Example  [Leaving  the  elements  of  a  vector  unchanged ): 

A  vector  U  ends  up  unchanged  iff  all  of  its  elements  end  up  unchanged: 

*  [U  *-U)  m  V  0  <;  *  <  I U\.  (U[i)  -  !/(*]). 

For  example,  if  U  has  3  elements,  the  following  formula  leaves  U  unchanged: 

(U[0]  -  1/(01)  a  (I7[l)  -  17(1])  a  (17(2] «-  1/(2]). 

This  illustrates  a  simple  form  of  parallel  processing. 


Example  ( Swapping  two  variables): 

We  define  the  predicate  A  «->  B  to  be  true  iff  the  values  of  the  parameters  A  and  B 
are  swapped: 


A~B  =def  ((A  +—  B)  a  [B  *—  A)} 


A 


variable  is  swapped  with  itself  iff  it  ends  up  unchanged: 
h  (A  «-*■  A)  =  [A  *—  A). 


If  U  and  V  are  both  vectors  of  length  n  then  U  and  V  are  swapped  iff  their  cor¬ 
responding  elements  arc  swapped: 

►  (P«V)aV0it<n.  (£/[*)  <-  V[t]). 
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Example  ( In-place  computation  of  maximum  of  two  numbers ): 

Let  the  function  max(i,j)  equal  the  maximum  of  the  two  values  t  and  j.  We  cam 
define  max(i,j)  by  means  of  a  condition  expression: 

max(i,j)  =def  *7  *  -  j  then  *  else  j. 

i 

The  following  two  ITL  formulas  are  then  semantically  equivalent: 

I  <—  max{I,  J) 

if  I  >  J  then  (J  «—  I)  else  (J  «—  J) 

Example  ( In-place  sorting): 

Suppose  we  have  a  function  sort(U)  that  given  a  list  U  equals  U  in  sorted  order.  The 
following  predicate  Sort(U)  then  expresses  that  U  is  sorted  in  place: 

Sort(U)  =def  U  4—  sort(17). 

This  is  not  the  only  way  to  express  Sort.  Let  bagval(U)  be  a  function  that  gives  the  bag 
(multi-set)  containing  exactly  the  elements  of  U  and  let  the  predicate  sorted(U)  be  true  of 
U  iff  the  U’s  elements  are  sorted.  An  alternative  way  to  express  Sort  can  then  be  given 
by  the  following  property: 

*=  Sort{U)  —  ( \bagval(U )  bagval(U )]  a  fin[sorted(U)]). 

This  says  that  a  list  is  sorted  in  place  iff  the  list’s  elements  remain  unchanged  but  end  up 
in  order. 

Example  ( In-place  parallel  doubling  of  the  values  of  a  vector’s  elements): 

Here  is  a  formula  that  represents  the  parallel  doubling  of  the  elements  of  a  vector  U : 

Double{U)  =d0f  V  0  <  t  <  \U\.  (I7{t]  4-  2U[i)). 

The  property  below  expresses  Double  recursively: 

t*  Double(U)  =  if  \U\  >  0  then[(head(U)  4—  2head(U))  a  Double(tail(U))]. 

Here  the  function  head[U)  always  equals  U’ s  leftmost  element  and  tail(U)  equals  the 
remainder  of  U : 

head{U)  =dcf  £/(0j  tail{U)  =def  U[  1  to  \U\  -  lj. 

For  example, 

W((l,3,0))  =  l,  ta»7((l,3,0))  =  (3,0). 

The  behavior  of  head  and  tail  on  the  empty  list  ()  is  left  unspecified.  The  logical  construct 
if  W\  then  w<i  is  the  same  as  the  implication  w\  3  W2. 


Example  ( In-place  parallel  reversal  of  vector  elements ): 

The  predicate  Rev{U)  specifies  an  in-place  reversal  of  the  vector  U’a  elements: 

Rev{U)  =der  V  0  <  i  <  n.(f/[t]  -  U[n  -  i  -  1]), 

where  n  =  \U\.  If  the  function  reverse(U)  equals  the  reverse  of  the  vector  U,  we  can 
describe  Rev  as  shown  below: 

N  Rev{U)  =  [U  *-  reverse{U)\ 

The  following  property  expresses  Rev(U)  by  symmetrically  exchanging  pairs  of  U’s  ele¬ 
ments  in  parallel: 

N  Rev(U)  =  V  0  <  t  <  fn  -7-  2"j.  (C/[t]  ♦-+  U[n  —  t  —  I]) 

For  example,  if  the  vector  U  has  5  elements,  then  Rev(U)  is  equivalent  to  the  formula 
(t/[0]  <-  t/[4])  a  (I7[l]  «-  U[Z\)  a  [U[2]  4-  1/(2]). 


The  gets  Construct 

We  now  introduce  the  gets  construct,  which  is  used  for  repeatedly  assigning  one 
expression  to  another: 

A  gets  B  =def  keep(B  =  O  A), 
where  the  operator  keep  is  defined  as 

keep  w  =def  empty  O  w). 

The  effect  of  gets  is  that  B’s  current  value  always  equals  A’s  next  value.  The  keep  construct 
ensures  that  we  don’t  “run  off”  the  end  of  the  interval.  Note  that  gets  is  semantically 
equivalent  to  the  unit  delay 

B  del  A 

described  by  us  in  [4,7,8].  It  is  also  similar  to  the  operator  “followed  by ”  in  the  program¬ 
ming  language  Lucid  (2j. 

Example  ( Synchronous  incrementing  of  a  variable ): 

The  predicate  genn  I  initializes  I  to  0  and  then  repeatedly  increments  /  by  1  until  / 
equals  n: 

getin  I  =,|cr  beg(I  =  0)  a  (/  gets  I  +  1)  a  halt(I  =  n). 


Example  ( Strength  reduction): 

The  next  formula  has  J  run  through  02,  l2, . . . ,  n2. 

gennI  a  /  ss  J2. 

Rather  that  compute  T2  at  each  step,  we  can  initialize  J  to  0  and  continuously  add  2/  + 1 
to  it: 

genn  I  a  beg(J  =  0)  a  J  gets  {J  +  21  +  1). 

This  is  semantically  equivalent  to  the  previous  formula  but  uses  simpler  operators.  These 
formulas  illustrate  a  way  of  treating  strength  reduction  in  ITL.  The  expression  21+1  can 
itself  be  strength-reduced  if  desired. 

Example  ( Assigning  a  list  the  sequence  {0, . . . ,  2 n  —  1)): 

The  combined  formula 

[gen*' I)  a  (L  =  { ))  a  [Lgets  [L\\  {/)]) 

has  the  list  variable  L  end  up  equal  to  the  value  (0, . . . ,  2 n  —  1).  We  use  the  operator  ||  to 
append  two  lists  together.  Here  is  an  example: 

(1,2)11(5,0)  =  (1,2, 5,0). 

Example  ( Simple  pipeline): 

If  U  is  a  numerical  vector  of  length  m  + 1,  the  following  formula  sends  twice  the  value 
of  each  element  of  U  to  the  next: 

V0  ^  t  <  m.  (t/[t  +  1]  gets  2C/[t']). 

For  example,  if  m  equals  3,  this  is  equivalent  to  the  formula 

{U[l)  gets  2<7(0l)  a  (17(2]  gets  2t/(lj)  a  {U[3\  gets  2U[2\). 

This  illustrates  a  way  of  expressing  highly  parallel  pipelines  in  ITL.  By  using  the  quantifier 
V,  we  can  obtain  an  arbitrary  number  of  simultaneously  executing  processes. 

Example  ( Keeping  a  variable  stable): 

The  predicate  stb  A  is  true  if  the  variable  A  has  a  fixed  value  throughout  the  entire 
interval: 

stb  A  =def  36.  (A  6). 

We  can  achieve  stb  by  means  of  gets: 

*  stbA  =  (A  gets  A). 


Example  ( Greatest  common  divisor ): 

The  predicate  GetsGcd  computes  the  greatest  common  divisor  of  two  numbers: 

GetsGcd(M,N)  =dcf  M  gets  [N  mod  M)  a  N  gets  M  a  halt(M  =  0), 

where  the  construct  Aa/t  w  is  true  for  intervals  that  terminate  the  first  time  the  formula 
w  is  true: 

halt  w  =der  B(w  =  empty). 

Thus  haltw  can  be  thought  of  as  a  kind  of  wait-statement.  Here  is  a  corresponding 
correctness  property  for  GetsGcd : 

N  GetsGcd(M,  N)  ?  [N  <-  gcd(M,  N)], 

where  the  function  gcd{ i,  j)  equals  the  greatest  common  divisor  of  i  and  j.  The  following 
property  shows  that  throughout  the  computation,  M  and  N's  ged  remains  stable: 

►  GetsGcd(M,N)  o  stb[gcd(M ,  N)]. 


Measuring  the  length  of  an  interval 
We  can  view  the  formula 

len  =  e 

as  an  abbreviation  for 

3 l\beg{I  =  e)  a  (/  gets  [I  —  1])  a  halt{I  =  0)]. 

The  formula  is  true  exactly  of  intervals  with  length  e  and  illustrates  how  to  localise  or 
“hide”  a  variable  such  as  /  by  means  of  existential  quantification.  This  is  similar  to  a 
begin- block  in  conventional  block-structured  programming  languages.  No  conflicts  arise 
when  such  a  formula  is  combined  with  others  containing  variables  named  I.  Wc  use  this 
technique  elsewhere  in  this  work. 

Example  ( Constraining  the  length  of  a  computation): 

By  using  the  construct  len,  we  can  look  at  the  length  of  computations.  For  example, 
the  formula 

(/  ♦-  I2)  a  ( len  £  I) 

specifics  that  /  is  squared  in  at  most  I  steps. 


Iteration 


An  interval  can  be  broken  up  into  an  arbitrary  number  of  successive  subintervals,  each 
satisfying  some  formula  w.  For  example,  wc  use  the  construct  to3  as  an  abbreviation  for 

V))W,W 

t 

We  can  extend  ITL  to  include  formulas  of  the  form  u>*;  this  is  the  Kleene  closure  of 
semicolon.  Other  constructs  such  as  while-loops  are  also  expressible  within  ITL: 

while  w\  dow 2  =def  [(6e?[tt>i)  a  u/2)*  a  /m(-’iui)] 

ITL  can  also  be  augmented  with  iteration  of  the  form  we  where  w  is  a  formula  and  e  is  an 
arithmetic  expression.  This  repeats  w  for  e  times  in  succession. 

For- loops  are  expressible  by  means  of  while-loops.  For  example,  the  construct 

for  0  <  /  <  n  do  (/  «—  J  + 1) 

can  be  expanded  to 

beg{I  =  0)  a  while  (J  <  n)  do{[J  «-  J  + 1]  a  [/  «-  I  +  1]) 

Example  ( Sequential  doubling  of  the  values  of  a  vector’s  elements ): 

The  following  formula  achieves  the  predicate  Double(U )  by  sequentially  running  through 
the  elements  of  the  vector  U  and  doubling  each: 

N  [for  0  <  K  <  \U\  do  Alter{U ,  K,  2U[K))\  3  Double{U) 

The  predicate  Alter (U ,  i,  a)  sets  the  i-th  element  of  U  to  the  value  o  and  leaves  the  other 
elements  unchanged.  Wc  can  deEne  Alter  in  various  ways.  Here  is  one: 

Alter(U,i,  a)  =dof  VO  <  j  <  |C/|.  [if  i  —  j  then  ( U[j ]  4-  a)  else  (U[j\  *-  C/[;])]. 

Sometimes  a  formal  parameter  of  a  predicate  such  as  Alter  has  behavior  that  is  slightly 
incompatible  with  that  of  the  corresponding  actual  parameter.  For  example,  the  formula 

Alter{U,K,2U[K\) 

contains  the  signals  K  and  2U[K\  where  static  objects  are  expected.  We  therefore  view 
the  formula  as  an  abbreviation  for 

3 i,a.  [beg(i  =  K  a  0  =  2U[K])  a  Alter [U,  i,  a)]. 

This  form  of  temporal  conversion  corresponds  to  call-by-value  in  conventional  programming 
languages. 


Example  ( In-place  sequential  reversal  oj  a  vector ): 

The  next  formula  reverses  U  by  serially  swapping  pairs  of  U's  elements: 

forO  <  K  <  L|£/|  -i-  2J  do  Swap(U,K,  \U\  -K-  1), 

where  the  predicate  Swap(U,t,j)  exchanges  the  t-th  and  j'-th  elements  of  U,  leaving  the 
other  elements  unchanged.  We  can  define  Swap  in  a  manner  similar  to  the  predicate  Alter 
shown  above.  Note  that  sequential  reversal  provides  one  way  to  implement  the  parallel 
reversal  computation  discussed  earlier. 

Example  ( Computation  of  greatest  common  divisor  using  while-loop): 

As  mentioned  previously,  we  can  specify  the  in-place  computation  of  the  greatest 
common  divisor  of  two  variables  M  and  N  as  follows: 

N  <-  gcd(M,  N). 

The  while-loop  below  implies  this: 
while  (M  jA  0)  do 

if  [M  >  N)  then  (Af  N)  else  ([Af  «-  Af]  a  [N  *-  N  —  Af]). 

Example  ( Expressing  gets  using  a  loop): 

The  construct  gets  can  be  expressed  using  iteration: 

N  (A  gets  B)  =  (skip  a  [A  «—  B])*. 

Based  on  the  semantics  of  while-loops  and  the  predicate  gets,  we  can  rewrite  the 
while-loop 

while  (J  0)  do  ( skip  a  [/«—/—  1]  a  [/«-/  +  /]) 
as 

halt(I  =  0)  a  (/  gets  I  —  1)  a  (J  gets  J  + 1). 

This  gives  us  a  decentralized,  concurrent  view  of  the  computation. 

Example  (In-place  partitioning  of  a  vector): 

The  predicate  Parlition(U  I)  specifies  that  the  vector  U  of  numbers  is  reorganized  in 
place  so  that  all  t  ments  ir  .sitions  less  than  the  variable  I  are  less  than  U[I)  and  the 
elements  in  higher  pr>;  iotu>  ore  at  least  as  large  as  U\I\: 

Partition(U ,  /)  ^der  ([6affva/(C/)  *-  bagval(U )]  a  fin[partition(U ,  I)]) 


where  the  predicate  partition{u,i)  is  true  iff  u  is  partitioned  about  the  i-th  element: 
partitionist)  =dcr  VO  <  j  <  |u|.  [(>  >  t)  =  (u[j]  >  «[«])]. 

The  following  property  shows  how  to  achieve  Partition  in  an  algorithmic  manner: 

t 

\=  \if\U\  >  0  then  (Part(U ,I)\[Swap(U ,0,1)  a  (I  *-  /)])]  3  Partition{U ,/). 

We  use  Part  to  partition  tail{U)  into  elements  <  C/[0]  and  >  C/[0]: 

Part(U ,  I)  =def 

3J.  [beg[I  =  1  a  /  =  ]£/ 1  —  1)  a  while  {I  <  J)  do  PartitionStcp(U ,1,  /)]. 

Note  that  Part  uses  a  localized  variable  J.  Each  iteration  step  of  the  while  loop  refers  to 
Partitioned,  I,  J),  which  either  leaves  U  unchanged  or  swaps  U[I\  with  U[J\: 

PartitionStep{U ,  I,  J)  =def 

if  (I U[I\  >  C/[0])  then  [(/♦—/)  A  (/  «—  J  —  1)  a  Swap{U,I,  /)] 
else[[I  -  I  +  1)  a  (J  +-  J)  A  [V  -  17)]. 

Example  ( Parallel  Quicksorting  of  a  vector ): 

Using  the  predicate  Partition,  we  can  describe  an  in-place  Quicksort  algorithm  that 
partitions  a  vector  U  and  recursively  sorts  the  resulting  sections  in  parallel.  The  following 
property  of  in-place  sorting  is  used. 

1=  (}f  \U\  >  0  then  31.  [Partition{U ,  /);  SortParts(U ,  /)])^>  Sort(U), 

where  the  predicate  SortParts  recursively  soTts  the  two  partitions  of  U  in  parallel: 

SortParts(U,j )  =der  Sort(U[0toj  —  lj)  a  Sort(U[j  +  1  to|f/j  —  1])  a  (U[j]  <-  I7[j]). 

Here,  for  example,  the  expression  I7[0toj  —  1]  equals  the  list 

(tf  [0], ....  U[j  —  1]). 

We  leave  the  “pivot”  element  £7[j]  unchanged.  An  actual  implementation  of  this  form  of 
sorting  might  execute  more  sequentially. 

§3  Markers 

As  mentioned  earlier,  we  can  iterate  a  temporal  formula  w  by  means  of  the  construct 


A  useful  variant  of  this  has  an  explicit  Boolean  flag  X  that  is  true  exactly  at  the  end-points 
of  the  individual  iterative  steps: 

begX  a  ([O/iaftX]  a  u>)*. 

Variables  such  as  X  are  called  markers  since  they  mark  off  the  loop's  steps.  We  abbreviate 
the  above  form  of  looping  by  means  of  the  operator  cycle: 

cycleWlw 2  =def  [begwi  a  ([Oha/fu>i]  a  u^)]. 

Here  the  formula  uq  represents  the  marker  and  gives  the  individual  iterative  steps. 
From  the  semantics  of  ITL,  every  loop  has  an  implicit  marker.  For  example,  the  formulas 

(/  «-  /  +  1)*  and  3X.  cycle  X{I  -  J  +  1)* 

are  semantically  equivalent. 

When  a  loop’s  marker  is  made  explicit,  we  can  sometimes  express  the  loop  as  smaller 
mutually  synchronized  loops  that  operate  in  parallel.  For  example,  the  loop 

cycle X{[I  -  /  -  1]  a  [/  <-  J  +  /]) 

can  be  represented  as 

cycle X(I «—  I  —  1)  a  cyclex[J  «—/  +  /). 

The  individual  steps  of  the  loops  start  and  end  at  the  same  times.  This  demonstrates  one 
use  of  markers  since,  for  instance,  the  loop 

([/<-/- 1]  a  (/-/  +  /])* 

is  not  readily  decomposible  without  some  additional  means  of  synchronization. 

If  the  marker  X  is  identically  true,  then  each  step  of  the  loop  is  reduced  to  having 
unit  length.  Thus,  the  construct 

cycletrve{I  *-I-  1) 

is  equivalent  to  the  formula 

{skip  a  [/«—/  —  1])* 
and  therefore  has  the  same  meaning  as 

I  gets  [I  -  1). 

Markers  can  also  be  used  with  while-loops.  We  define  a  while-loop  with  an  explicit 
marker  formula  itq  as  follows: 

whileWl  W2  do  W3  =det  beg  uq  a  while  W2  do  {[O  halt  w\]  a  wj). 

For  instance,  the  loop 

while x  [I  7^  0)  do  ([/+-/-  l]  a  [J*-J  +  /]) 
can  be  alternatively  expressed  by  means  of  the  following  conjunction  of  three  formulas: 
hall{I  =  0)  a  cycle X{I «—/  —  !)  a  cycle x{J  «—/  +  /). 


§4  Data  Transmission 


In  ITL  we  can  use  shared  variables  for  communication  between  different  processes. 
Given  an  interval  and  some  variable  A,  it  is  convenient  to  speak  of  the  trace  of  A.  We 
define  the  function  tr(A)  to  be  the  sequence  of  A’s  values  in  all  but  the  last  state  of  the 
interval: 

tr(A)  =der  ((C*  A):  0  <  j  <  len). 

Thus,  in  an  interval  of  length  2,  the  value  of  ir(A)  is  the  sequence 

{A,  O  A). 

Note  that  in  an  interval  of  length  0,  fr(A)  equals  the  empty  sequence  ().  A  variant  of  fr(A) 
that  doesn’t  ignore  that  interval’s  last  state  can  also  be  defined. 

Example  ( Transmitting  the  elements  of  a  list): 

The  formula  WriteList  j(L)  outputs  the  contents  of  the  list  L  from  left  to  right  into 
the  variable  J: 

WriteListi(L)  =def  (fr(/)  =  L]. 

The  next  property  shows  a  constructive  way  to  achieve  WriteList : 

t=  (keep[I  =  head(L)]  a  L  gets  [tail{L)\  A  halt\L  =  (}]):>  WriteList  i(L). 

The  predicate  ReadList j(L)  is  similar  to  WriteList i[V)  but  requires  that  L  end  up  with 
V s  trace: 

ReadList [{L)  =def  [L  tr(J)]. 

Example  ( Writing  a  set  in  sorted  order): 

The  predicate  Write  Sorted  t(S)  outputs  the  elements  of  the  finite  set  5  in  so:  ted  order 
to  the  variable  I: 

WriteSortedi(S)  =ucf  WriteList  j(sort{S)). 

For  simplicity,  we  assume  that  S  contains  only  numbers.  The  following  formula  gives  a 
way  to  achieve  WriteSorted: 

keep(I  =  min  S)  a  S  gets  (S  —  {/})  a  halt(S  =  {  }). 

The  ITL  keep  construct  ensures  that  the  variable  I  always  equals  the  minimum  element  of 
S  except  perhaps  in  the  computation’s  last  state.  The  gets  subfonnula  continually  deletes 
/’ s  value  from  S.  As  the  computation  runs,  S  is  reduced  to  being  empty.  In  the  combined 


formula 


WriteSortedi(S)  a  ReadListi(L), 

the  list  L  ends  containing  the  initial  elements  of  5  in  sorted  order: 

N  [  WriteSortedi(S)  a  ReadList /(L)]  3  [L «—  sort(S)].  . 

For  example,  if  5  initially  equals  the  set  {3, 5, 1}  then  upon  termination,  L  equals  (l,  3, 5). 
Note  that  bags  (multisets)  can  be  used  instead  of  sets  if  duplicate  data  values  arise. 


Example  ( Synchronous  walk  through  an  S-  expression): 

An  S-expression  is  either  an  atom  or  a  pair  (a,  b)  where  a  and  b  are  themselves  S- 
expressions.  For  our  purposes,  we  restrict  atoms  to  being  nonnegative  integers.  Here  are 
some  simple  S- expressions: 

3,  (4,1),  ((2, 3),  5). 

The  predicate  atom[t)  is  true  iff  the  S-expression  t  is  an  atom.  If  t  is  not  atomic  then  left(t) 
and  right(t)  access  t's  two  parts.  We  can  inductively  define  the  frontier  of  an  S-expression 
as  follows: 

frontier(t)  =d«r  *7  atom(t)  then  ( t )  else  [frontier (left(t))  ||  frontier ( rtff/it (t))] . 

For  instance,  the  frontiers  of  the  S-expressions  given  above  are  respectively 

(3),  (4,1),  (2,3,5). 


The  predicate  Write  Frontier  specifies  that  the  frontier  of  the  S-exprcssion  T  is  output 
to  the  variable  I: 


WriteFrontier  i[T)  =def  WriteListi(frontier[T)). 

The  following  property  shows  how  to  recursively  use  WriteFrontier  to  output  the  frontier 
of  a  static  S-expression  t: 

N  WriteFrontier  j(t)  = 

ifatom[t)  then[beg[I  =  t)  a  sfct'p] 

else  [  WriteFrontier i[left{t))\  WriteFrontier i(right(t))]. 

An  S-expression  T’s  frontier  can  for  example  be  entered  into  a  list  L  as  shown  by  the 
property 


N  [  WriteFrontier  j(T)  a  ReadList i(L)]  3  \L  *— frontier {fT)\. 


§5  Comparison  with  the  Programming  Languages  Lucid  and  Prolog 

The  innovative  programming  language  Lucid,  developed  by  Ashcroft  and  Wadge  [1,2,3] 
is  similar  to  parts  of  ITL.  For  example,  the  ITL  formula 

beg(I  =  0  a  /  =  0)  a  I  gets  [I  +  1)  a  J  gets  ( J  + 1) 

roughly  corresponds  to  the  Lucid  program 

/  =  0  fby  (J  +  1) 

J  =  0  fby  [J  + 1). 

Not  surprisingly,  many  properties  of  gets  involving  such  concepts  as  strength  reduction 
can  also  be  handled  in  Lucid.  On  the  other  hand,  the  Algol-like  ITL  formula 

while  (I  ^  0)  do  ([/«—/  —  1]  a  [J  *-J  +  /]) 

has  no  direct  analog  in  Lucid.  Lucid’s  underlying  semantics  are  rather  different  from 
ITL’s  since  Lucid  uses  a  three- valued  logic  and  has  no  notion  of  global  state.  Instead,  each 
variable  has  an  infinite  sequence  of  values. 

Prolog  [5]  is  based  on  an  interesting  subset  of  predicate  logic  in  which  formulas  can  be 
interpreted  as  applicative  programs.  Because  Prolog  has  no  sense  of  time,  ITL  formulas 
cannet  in  general  be  directly  expressed  in  it.  For  example,  there  is  no  true  analog  in  Prolog 
to  ITL’s  while-loops  and  assigments.  In  practice,  side  effects  are  permitted  in  Prolog, 
although  the  language’s  core  is  not  really  designed  to  handle  them. 

§6  Future  Research  Directions 

Let  use  now  consider  some  aspects  of  ITL  that  require  further  investigation. 

Temporal  types  and  higher-order  objects 

A  theory  of  temporal  types  needs  to  be  developed.  This  should  provide  various  ways 
of  constructing  and  comparing  types.  Given  two  predicates  p  and  q,  we  form  the  predicate 
p  x  q  which  is  true  for  any  pair  whose  first  element  satisfies  p  and  whose  second  element 
satisfies  q.  For  example,  the  formula 

( nat  x  bool)({ 3,  true)) 


is  true.  In  general,  we  write  such  a  test  as 


{3,  true):  [nat  x  bool). 


The  operator  x  extends  to  n-elcmcnt  tuples: 


where  pi,...,pn  are  unary  predicates.  In  addition,  the  construct  pn  is  equivalent  to  n 
repetitions  of  p.  For  instance,  the  test 


a:  nat 3 

is  true  if  a  is  a  triple  of  natural  numbers.  The  predicate  p*  is  true  for  vectors  of  arbitrary, 
possibly  null  length,  whose  elements  alt  satisfy  p.  Thus,  the  type  bool*  is  true  for  all 
vectors  of  truth  values.  The  type  sig(bool*)  is  true  for  any  Boolean  vector  signal  with  a 
possibly  varying  length. 

The  predicate  struct(Xi‘.  p\, . . .  ,Xn:  Pn)  checks  for  tuples  whose  elements  have  field 
names  Xi, . . . , Xn  and  satisfy  the  respective  types  pt, . . .  ,p„.  For  example,  the  predicate 

struct(X:  nat,Y :  bool2) 


is  true  for  the  tuple 


(X:  3,  Y :  (true,  false)). 


Note  that  two  types  can  be  semantically  equivalent.  For  example,  the  types  sig(bool2) 
and  [sig(bool)]2  have  the  same  meaning.  On  the  other  hand,  the  types  sig(bool*)  and 
[513(600/)]*  are  not  equivalent.  The  type  sig(bool*)  is  true  for  any  object  that  is  always 
a  Boolean  vector  signal  with  a  possibly  varying  length.  In  contrast,  the  type  [513(600/)]* 
requires  that  the  object’s  length  be  fixed  over  time: 

►=  A:  [513(600/)]*  =  [A:  5/3(600/*)  a  st6|A|]. 

Type  constructs  of  the  form  p*  have  other  uses.  For  example,  we  can  define  the  predicate 
incr  to  increment  a  variable  I  by  1: 

incr(I)  =dcf  (I  *- I  +  1). 

Then  given  a  vector  U,  the  formula 

U : incr* 

specifies  that  each  element  of  U  is  incremented  by  1  in  parallel.  This  technique  is  similar 
to  the  mapear  function  of  Lisp. 

It  would  be  interesting  to  have  a  semantics  of  higher-order  temporal  objects  such  as 
time-dependent  functionals.  Perhaps  a  suitable  variant  of  proposition  ITL  can  facilitate 
some  sort  of  Godelization  by  representing  all  values  as  temporal  formulas.  Alternatively, 
an  encoding  like  that  used  by  Scott  [11,12]  in  developing  a  model  of  the  typeless  lambda 
calculus  might  work.  However,  we  wish  to  strongly  resist  the  introduction  of  partial  values. 
One  concession  we  make  in  this  direction  is  to  not  require  that  every  function  have  a  fixed 
point. 


Projection 

Sometimes  it  is  desirable  to  examine  a  computation  at  certain  points  in  time  and 
ignore  all  intermediate  states.  This  can  be  done  using  the  temporal  projection  construct 
toi  ntfl2.  For  example,  the  formula 

X  II  (I  gets  [I  +  1]) 

is  true  if  I  increments  by  1  over  each  successive  pair  of  the  states  where  X  is  true.  Variables 
like  X  serve  as  markers  for  measuring  time  and  facilitate  different  levels  of  atomicity.  If 
two  parts  of  a  system  are  active  at  different  times  or  are  running  at  different  rates,  markers 
can  be  constructed  to  project  away  the  asynchrony. 

Other  definitions  of  projection  are  also  possible.  For  example,  a  synchronous  form  can 
be  defined  as  follows: 

w\simw2  ==def  (beg wi  a  finwi  a  [u>i  II 102])- 

This  forces  the  marker  formula  wi  to  be  true  in  an  interval’s  initial  and  final  states.  We 
can  view  this  construct  as  simulating  the  formula  10%  at  at  rate  given  by  w2;  hence  the 
name  “stm.”  For  example,  the  formula 

X  sim  [ReadList i(L)\ 

reads  the  variable  /  into  the  list  L  at  the  rate  indicated  by  X. 

In  section  3,  we  showed  how  to  express  iterative  constructs  by  means  of  markers:  For 
example,  the  following  loop  has  X  as  a  marker: 

cycle  X([I  gets  I  +  1]  a  [/  gets  J  +  /]). 

All  loops  have  implicit  markers  that  are  accessible  through  existential  quantification.  This 
provides  a  general  means  for  identifying  the  end  points  of  the  iteration  steps  and  extracting 
them  using  projection.  We  feel  that  markers  and  projection  provide  a  way  to  decoupled 
low-level  computational  details  from  high-level  ones. 

Tempura,  a  prototype  programming  language  based  on  ITL 

Moszkowski  and  Manna  [9]  present  a  prototype  programming  language  called  Tempura 
that  is  based  on  ITL.  Along  with  the  programming  languages  Lucid  and  Prolog,  Tempura 
has  the  property  of  having  a  semantics  based  on  logic.  Much  work  remains  ahead  in 
exploring  this  temporal  approach  to  language  design  and  developing  practical  techniques 
for  specifying,  executing,  transforming,  synthesizing  and  verifying  Tempura  programs. 
Perhaps  the  state  sequences  of  temporal  logic  can  also  be  used  as  a  convenient  basis  for 
logics  of,  say,  formal  languages,  typesetting  and  music.  More  generally,  temporal  logic 
may  provide  a  semantics  of  both  time  and  space. 
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§7  Conclusions 


Interval  temporal  logic  has  constructs  for  dealing  with  such  programming  concepts 
as  assignment,  iteration  and  computation  length.  Because  ITL  is  a  logic,  programs  and 
properties  can  be  stated  in  the  same  formalism.  Unlike  conventional  first-order  logic,  ITL 
can  directly  express  computations  requiring  a  notion  of  change.  Moszkowski,  Halpern  and 
Manna  [4,7,8]  have  shown  that  ITL  also  provides  a  basis  for  describing  timing-dependent 
hardware  involving  clocking  and  propagation  delay.  ITL-based  programming  languages 
such  as  Tempura  [9]  will  be  able  to  take  advantage  of  this  versatility.  Thus,  ITL  appears 
to  have  a  wide  range  of  application. 

Acknowledgements 

We  wish  to  thank  Martin  Abadi,  Joe  Halpern,  John  Hobby  and  Yoni  Malachi  for 
stimulating  conversations  and  suggestions. 

References 

1.  E.  A.  Ashcroft  and  W.  W.  Wadge.  "Lucid:  A  formal  system  for  writing  and  proving 

programs.”  SIAM  Journal  of  Computing  5,  3  (Sept.  1976),  336-354. 

2.  E.  A.  Ashcroft  and  W.  W.  Wadge.  "Lucid,  a  nonprocedural  language  with  iteration.” 

Communications  of  the  ACM  20,  7  (July  1977),  519-526. 

3.  E.  A.  Ashcroft  and  W.  W.  Wadge.  Lucid,  the  Data  Flow  Programming  Language.  To 

be  published. 

4.  J.  Halpern,  Z.  Manna  and  B.  Moszkowski.  A  hardware  semantics  based  on  temporal 

intervals.  Proceedings  of  the  10-th  International  Colloquium  on  Automata,  Lan¬ 
guages  and  Programming,  Barcelona,  Spain,  July,  1983. 

5.  R.  Kowalski.  Logic  for  Problem  Solving.  Elsevier  North  Holland,  Inc.,  New  York, 

1979. 

6.  Z.  Manna  and  A.  Pnueli.  Verification  of  concurrent  programs:  The  temporal  framework. 

In  R.  S.  Boyer  and  J.  S.  Moore,  editors,  The  Correctness  Problem  in  Computer 
Science,  pages  215-273,  Academic  Press,  New  York,  1981. 

7.  B.  Moszkowski.  A  temporal  logic  for  mutti-level  reasoning  about  hardware.  Proceedings 

of  the  6-th  International  Symposium  on  Computer  Hardware  Description  Languages, 
Pittsburgh,  Pennsylvania,  May,  1983,  pages  79-90. 

8.  B.  Moszkowski.  Reasoning  about  Digital  Circuits.  PhD  Thesis,  Department  of  Com¬ 

puter  Science,  Stanford  University,  1983. 

9.  B.  Moszkowski  and  Z.  Manna.  Temporal  logic  as  a  programming  language.  In 

preparation. 


10.  N.  Rescher  and  A.  Urquart.  Temporal  Logic.  Springer- Verlag,  New  York,  1971. 

11.  D.  Scott.  "Data  types  as  lattices.”  SIAM  Journal  of  Computing  5,  3  (Sept.  1976), 

522-587. 

12.  J.  E.  Stoy.  Denotational  Semantics:  The  Scott-Strachey  Approach  to  Programming 

Language  Theory.  MIT  Press,  Cambridge,  Masachusetts,  1977. 


18 


FILMED 


